On Tue, Dec 9, 2008 at 9:01 AM, Benjamin Henne <[EMAIL PROTECTED]> wrote:
>
> is there a way to combine different user mappings from different
> interceptors and let users choose which mapping to use? I think one
> cannot do this with current combining algorithms, can one?

AFAIK, this is not possible using "out-of-the-box" GT4.2 authz configuration.

> When I tried combining VOMS interceptor with gridmap authz I realized
> that the current algorithms do not work as I expected them to work.
>
> Am I right?
> * PermitOverride uses _first_ permit decision and its mapping
> * DenyOverride denies based on _first_ deny decision
> * both do not evaluate following decisions
> * FirstApplicable returns first deny or permit decision

Yes, that's right.

> What about the following scenario:
> One wants to check VOMS credentials and DN-based user mapping. The user
> shall be capable of choosing the mapping (localUserId for GRAM) if there
> are more than one, independent of whether the user got only mappings from
> grid-mapfile, VOMS interceptor, or both.

The user doesn't choose the mapping; the PDP on the server-side decides what local account to use. The user can influence the PDP's decision by presenting a different certificate (containing different attributes).

> This scenario is not possible to realize, is it?
> DenyOverride and FirstApplicable are not applicable.
> Using PermitOverride, if the user has both credentials (DN is in
> grid-mapfile and he has valid VOMS credentials), always the mapping of
> the first PDP is used.

That's correct. If you want different behavior, you need to implement a custom combined interceptor that implements that behavior.

> The user can only influence the decision by changing
> his proxy (include and exclude VOMS credentials).

I think that will always be true, regardless of the authz configuration on the server-side.

The current implementation of the GridShibPDP does gridmap short-circuiting, that is, if the user's DN is in the gridmap file, the local account is obtained from the gridmap file regardless of any other information in the certificate. On the other hand, if the user's DN is NOT in the gridmap file, the local account is obtained by consulting an attribute mapping policy file that maps (SAML) attributes to accounts.

A future implementation of the GridShibPDP will alter this behavior:

http://bugzilla.globus.org/globus/show_bug.cgi?id=6497

The new GridShibPDP does not do gridmap short-circuiting. Instead the user's DN must be in the gridmap file *and* the SAML attributes (if any) must satisfy policy. I'm not sure how to handle account mapping in this case, however. How does the PDP decide which of multiple accounts is chosen? First-come, first-served?

Tom
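Added example, not part of the thread and not Globus Toolkit code: a small Python model of the three combining algorithms Benjamin lists (PermitOverride, DenyOverride, FirstApplicable, with the "first decision wins, later PDPs not consulted" behaviour Tom confirms) next to a custom combiner of the kind Tom says would be needed. The PDPs, the grid-mapfile and VOMS mapping data, the `requested_user` field and the function names (`gridmap_pdp`, `voms_pdp`, `choose_mapping`) are all constructed for illustration; the custom combiner evaluates every PDP, denies if any denies, and honours a client-requested account only when some PDP actually granted it, so the client can never obtain a mapping outside the permitted set.

```python
"""Toy model of how GT4.2-style authz interceptors combine per-PDP decisions.

Constructed illustration for this thread, not Globus Toolkit code. The PDPs,
sample policy data and the choose_mapping combiner are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Sequence, Tuple

PERMIT, DENY, NOT_APPLICABLE = "permit", "deny", "not_applicable"


@dataclass(frozen=True)
class Decision:
    result: str
    local_user: Optional[str] = None  # account mapping carried by a permit
    source: str = ""                  # which PDP produced it (for tracing)


@dataclass(frozen=True)
class Subject:
    dn: str
    voms_fqans: Tuple[str, ...] = ()        # VOMS attributes found in the proxy
    requested_user: Optional[str] = None    # hypothetical: account the client asks for


# Constructed sample policy data (stand-ins for a grid-mapfile and a VOMS mapping).
GRIDMAP = {"/C=DE/O=Example/CN=Alice": "alice"}
VOMS_MAP = {"/example/Role=admin": "example-admin", "/example": "example-user"}

PDP = Callable[[Subject], Decision]


def gridmap_pdp(s: Subject) -> Decision:
    """DN-based mapping: permit with the grid-mapfile account, else not applicable."""
    user = GRIDMAP.get(s.dn)
    return Decision(PERMIT, user, "gridmap") if user else Decision(NOT_APPLICABLE, source="gridmap")


def voms_pdp(s: Subject) -> Decision:
    """Attribute-based mapping: the first FQAN with a mapping wins; a proxy whose
    FQANs map to nothing is denied; a proxy without VOMS attributes is not applicable."""
    for fqan in s.voms_fqans:
        if fqan in VOMS_MAP:
            return Decision(PERMIT, VOMS_MAP[fqan], "voms")
    return Decision(DENY if s.voms_fqans else NOT_APPLICABLE, source="voms")


def permit_override(pdps: Sequence[PDP], s: Subject) -> Decision:
    """First permit wins together with its mapping; later PDPs are never consulted."""
    first_deny = None
    for pdp in pdps:
        d = pdp(s)
        if d.result == PERMIT:
            return d
        if d.result == DENY and first_deny is None:
            first_deny = d
    return first_deny or Decision(NOT_APPLICABLE, source="permit_override")


def deny_override(pdps: Sequence[PDP], s: Subject) -> Decision:
    """First deny wins; otherwise the first permit (and its mapping)."""
    first_permit = None
    for pdp in pdps:
        d = pdp(s)
        if d.result == DENY:
            return d
        if d.result == PERMIT and first_permit is None:
            first_permit = d
    return first_permit or Decision(NOT_APPLICABLE, source="deny_override")


def first_applicable(pdps: Sequence[PDP], s: Subject) -> Decision:
    """The first permit or deny, whichever comes first in interceptor order."""
    for pdp in pdps:
        d = pdp(s)
        if d.result != NOT_APPLICABLE:
            return d
    return Decision(NOT_APPLICABLE, source="first_applicable")


def choose_mapping(pdps: Sequence[PDP], s: Subject) -> Decision:
    """Hypothetical custom combiner: evaluate every PDP, deny if any denies,
    otherwise offer the union of permitted accounts and honour a requested
    account only if it is in that set. A request for any other account is
    denied rather than silently replaced, so the client can never obtain a
    mapping that no PDP granted."""
    decisions = [pdp(s) for pdp in pdps]
    denies = [d for d in decisions if d.result == DENY]
    if denies:
        return denies[0]
    candidates = [d for d in decisions if d.result == PERMIT]
    if not candidates:
        return Decision(NOT_APPLICABLE, source="choose_mapping")
    if s.requested_user is None:
        return candidates[0]
    for d in candidates:
        if d.local_user == s.requested_user:
            return d
    return Decision(DENY, source="choose_mapping")


if __name__ == "__main__":
    both = Subject("/C=DE/O=Example/CN=Alice", ("/example/Role=admin",), "example-admin")
    print(permit_override([gridmap_pdp, voms_pdp], both))   # gridmap mapping; request ignored
    print(choose_mapping([gridmap_pdp, voms_pdp], both))    # the requested example-admin
```

With both a grid-mapfile entry and a mappable VOMS attribute, `permit_override` returns whichever PDP is listed first and never reaches the second, which is the behaviour Benjamin observed; swapping the PDP order swaps the account. `choose_mapping` is one shape a custom combined interceptor could take: it still leaves the server in control of the permitted set, and the client only selects among accounts that set already contains.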